How closely is the board paying attention to cyber risks?

Board members can face liability, either for taking an action or failing to take action. As business becomes increasingly driven by technology on all levels, corporate board members are increasingly at risk because of their duty to exercise oversight and monitor all aspects of a company’s technological operations. This includes everything from how electronic information is stored, the company’s IT operations, privacy issues, the protection of assets in digital form, and the company’s day-to-day technology processes.

After all, at the first whiff of a problem, prosecutors and regulators, as well as shareholders in some cases, and others, will all ask the same question: “Who is responsible?” And regardless of who’s to blame, the beginning and the end of the inquiry will lie with the board.

For board members, the good news is that, historically speaking, the likelihood of a board member being held personally liable for negligent oversight of a public company is likely to be one in a million. The reason is simple: Director’s and officer’s insurance almost always covers any liability or settlement. According to one study, between 1980 and 2005, there were only 12 cases where directors were forced to make payments that were not covered by insurance, including legal fees. But this does not mean in any way that board members should expect a free pass. The reputation damage and soft costs can be immeasurable.

How claims can arise

Director’s liability law is fairly well established, and claims typically arise in one of two scenarios:

The directors should be liable because they made a decision or took an action was either negligent or ill-advised (i.e., they breached their duty of care); or

The directors failed to act in a situation where a loss could and should have been prevented (i.e., they breached their duty of loyalty).

Claims alleging a breach of the duty of care are unlikely to succeed because directors enjoy the protections of the director-friendly business judgment rule. Essentially, this immunizes a director’s conduct from judicial scrutiny as long as the decision is informed, made in good faith, and with the genuine belief that the decision was made in the company’s best interest. Even if a plaintiff can overcome the presumptions in favor of a director by showing gross negligence, many companies have adopted charter or bylaw provisions consistent with Delaware law, thereby insulating directors from liability for a breach of their duty of care.

In the second scenario, a director is not insulated from liability under Delaware law, and a director’s conduct is evaluated under the standards enunciated in Caremark International Inc. Derivative Litigation and its progeny. This oversight liability attaches when directors consciously disregard their responsibilities, either by the following:

Failing to implement a sufficient reporting system; or

After implementing a reporting system, failing to properly oversee or monitor its operations by serving as passive recipients of information.

Simply put, making no decision may indeed be worse than making any decision, even a bad one. A key determinant of a director’s liability is how they act once a red flag is identified.

As every director has probably experienced, these important corporate decision-makers are more scrutinized than ever before because of corporate scandals that led to the adoption of Sarbanes-Oxley and the more recent Dodd-Frank Act. As a result, board members are now required to spend more time on oversight of a company’s operations than in prior years.

Cybersecurity should be top of mind

New technologies and cyber security present particular challenges for directors and pose potential increases in their liability. As technology continues to play an increasingly important role in corporate management and governance, with companies of all sizes becoming more dependent on technology for all facets of their operations, ranging from communicating via texts and emails to storing records electronically and maintaining critical and proprietary information digitally.

As a result, cybersecurity should be at or near the top of the agenda for any corporate boards. On a regulatory level, fines for data breaches can be substantial and civil litigation is guaranteed to follow. Recent incidents involving large retail stores serve as a stark reminder of the significant dollar and reputation costs of a data breach.

Additionally, a company’s insurance program may or may not be sufficient to protect a director and a company from cyber risk. The key, of course, is reviewing and assessing the company’s insurance policies before a problem occurs. As a director, this should be an agenda item at or near the top of the board’s list of priorities.

In all likelihood, absent an incident, it is likely that board members are not spending sufficient time evaluating or analyzing the risks inherent in new technologies, as well as their related cybersecurity risks. In part, many directors are ill equipped to fully appreciate or evaluate such issues considering the dearth of board members with significant IT experience.

Further, even if a board has evaluated these risks, to what extent is such an evaluation dependent on a company’s IT department — the same group implementing the existing technology protocols? Multiple surveys report that data security is a top concern for corporate executives and, by implication, corporate directors. The obvious question for directors, then, is whether they are taking sufficient steps today to protect their company’s digital assets, or whether hindsight will prove they were negligent.

Of course, directors are not expected to foresee every potential liability that a company may face. But the law requires them to be actively engaged in decision making and oversight. Indemnification provisions in bylaws or charters, as well as standard D&O insurance policies, are two ways that directors can limit their own out-of-pocket liability. Although the law has further built-in protections as exemplified in the business judgment rule, directors must be mindful of their oversight responsibilities and the liability that can attach when shirking those duties.

Contributing Author

Steven P. Blonder

Steven P. Blonder is a principal in the Litigation and Dispute Resolution practice group at Chicago-based Much Shelist. His practice is primarily focused in the...